Join now!   |   Subscribe   |   Pay an Invoice   |   Sign In
Unclaimed Property Focus
Blog Home All Blogs
Search all posts for:   

 

View all (298) posts »
 

HIPAA and Unclaimed Property

Posted By Administration, Thursday, December 6, 2018

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is intended, in part, to protect patients’ privacy. The law establishes standards for handling and securing potentially sensitive protected health information (PHI).

 

HIPAA is not typically associated with unclaimed property. However, for property holders in the health care field or that work with the health care field, it’s important to understand HIPAA implications. Considerations related to HIPAA most often come into play when dealing with an audit or a voluntary disclosure agreement. Auditors or VDA administrators may ask for information that, when shared, could violate HIPAA provisions.

 

HIPAA precludes covered entities, such as health plans, insurers and providers from disclosing PHI to third parties, with a few narrow exceptions. According to the Department of Health and Human Services, PHI includes demographic information relating to:

  • An individual’s past, present or future physical or mental health or condition.
  • The provision of health care to the individual.
  • Payment for health care that may identify the individual.

 

PHI includes common identifiers, such as name, address, birth date and Social Security number, when they can be associated with health information. It can also include identifiers that could be used to trace an account to a specific medical issue, such as internal account numbers.

 

“There is a general prohibition on disclosure of records dealing with mental health, substance abuse treatment, genetic testing and HIV/AIDS under HIPAA and various federal and state laws, absent patient consent,” said Scott Heyman, partner with Sidley Austin LLP. “Those laws are very strict and without exception. Even if exceptions are available for providing other PHI to third parties, they are not available for those conditions.”

 

HIPAA violations are subject to civil and criminal penalties, so great care needs to be taken to ensure compliance.

 

Three exceptions to PHI disclosure without patient consent exist under HIPAA:

  • Disclosure to public health authorities.
  • Disclosure in health oversight activities.
  • Disclosure for law enforcement purposes.

 

State treasurers and controllers conducting unclaimed property audits are not public health authorities and are not engaged in health oversight activities, so the first two exceptions do not apply. 

 

The “disclosure for law enforcement purposes” exception is broad enough to cover unclaimed property audits. In order to disclose information under the law enforcement exception: 

  • PHI sought must be “relevant and necessary to a legitimate law enforcement inquiry.”
  • The request must be ”specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.” 
  • “Deidentified information could not be reasonably be used.” 

 

Disclosure is permitted only to law enforcement officials, defined as “an officer or employee” of an eligible agency. Thus, PHI may not be disclosed to private government contractors without patient consent. In contrast, the public health and health oversight exceptions expressly permit disclosure of information to government contractors. 

 

PHI should be retracted from items provided to auditors. 

 

“If they insist that they need PHI for audit purposes, providing the information directly to the state and letting the state decide what to do with it may be a reasonable response,” Heyman said.

 

Redaction can be very time-consuming and one of the more burdensome aspects of an unclaimed property audit in the health care industry. 

 

“Often the information at issue includes things like explanations of benefits, where you’re proving out voids and reissuances,” said Heyman. “Those tend to be copies of paper documents. It means reading those documents and crossing out PHI with a black marker. It’s an intensively manual process, and knowing which boxes contain PHI and which don’t, and blacking them out appropriately, is essential.”  

 

Holders should refer to information from HHS for guidance on de-identifying PHI.

 

Unclaimed property compliance and audits are rarely simple. For holders in the health care space, HIPAA adds yet another compliance layer. 

 

The 2019 UPPO Annual Conference, March 24-27 in New Orleans, will include industry breakouts and an industry focus session for holders in the health care industry to discuss audit trends and compliance issues affecting them. Learn more and register today.

 

 

Tags:  audits  health care  HIPAA  unclaimed property 

Share |
Permalink | Comments (0)
 
Membership Software Powered by YourMembership  ::  Legal